CMdservice and slow responses



Ihatespyware
2005-12-25, 20:11
Hi,

I just entered a few spyware-containing sites and got a lot of problems. I did an Ad-Aware and Spybot S/D scan but I still can't get rid of cmdservice.

And I also noticed my internet isn't using optimal speed.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 19:03:26, on 25-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\inet20003\services.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\inet20003\mm4.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Bryan\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/nl/4,0,0,90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/nl/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\hrn6055se.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

LonnyRJones
2005-12-26, 14:18
Hello Ihatespyware, (me too)

Was your desktop hijacked?

Start HijackThis and place a check next to these items if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [Shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\hrn6055se.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
====================================
Hit "Fix checked" and close HijackThis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh HijackThis log please, and be sure to mention any current problems.
There will be more to do, stick with us.
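
A triage pass over the kind of HijackThis entries checked in the post above, as an added example that is not part of the original thread and not HijackThis's own logic. The three rules (a core process name outside its home directory, a registration with no file behind it, a Winlogon Notify DLL) and the `C:\WINDOWS` default are assumptions of this example; the sample lines are copied from the first log.

```python
import re
from ntpath import basename, dirname, normcase

# Constructed sample: entries copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inet20003\services.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20003\services.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: ssldr - C:\WINDOWS\SYSTEM32\ssldr32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# "O4 - ..." style entry: section code, then the rest of the line.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-rooted path ending in .exe or .dll (quoted or not, spaces allowed).
PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

# Assumption of this example: core Windows XP processes that live in system32.
CORE_IN_SYSTEM32 = ("smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                    "lsass.exe", "svchost.exe", "spoolsv.exe")


def triage(log_text, windir=r"C:\WINDOWS"):
    """Return (section code, reason, evidence) tuples for entries worth a closer look."""
    system32 = normcase(windir + r"\system32")
    home = {name: system32 for name in CORE_IN_SYSTEM32}
    home["explorer.exe"] = normcase(windir)  # explorer.exe sits in %windir% itself

    findings = []
    for raw in log_text.splitlines():
        entry = ENTRY.match(raw.strip())
        if not entry:
            continue  # header lines, running-process list, blank lines
        code, body = entry.group("code"), entry.group("body")
        found = PATH.search(body)
        path = found.group(0) if found else None

        # Rule 1: a trusted process name started from an unexpected directory.
        if path:
            name = normcase(basename(path))
            if name in home and normcase(dirname(path)) != home[name]:
                findings.append((code, "core process name outside its home directory", path))

        # Rule 2: HijackThis itself reports that the target file does not exist.
        if "(no file)" in body or "(file missing)" in body:
            findings.append((code, "registration points at a missing file", body))

        # Rule 3: Winlogon Notify DLLs are loaded into winlogon.exe, so each one
        # should be accounted for by installed software.
        if code == "O20" and path:
            findings.append((code, "DLL loaded through Winlogon Notify", path))
    return findings


if __name__ == "__main__":
    for code, reason, evidence in triage(SAMPLE_LOG):
        print(f"{code:>3}  {reason}: {evidence}")
```

A hit is a prompt to look at the entry, not a verdict; legitimate software also registers Winlogon Notify DLLs.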

Ihatespyware
2005-12-26, 16:05
Logfile of HijackThis v1.99.1
Scan saved at 15:05:02, on 26-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Bryan\Bureaublad\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\yayqiw.exe reg_run
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/nl/4,0,0,90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/nl/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\sesvc.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\l4j80e1ueh.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

LonnyRJones
2005-12-27, 03:17
Hi

Download L2mfix (new version) from one of these two locations:
http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe
Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.
Note:
If you receive, while running option #1, an error similar to: "C:\windows\system32\cmd.exe C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application." then please use option 5 or the web page link in the l2mfix folder to solve this error condition. Do not run the fix portion without fixing this first.

If it is too large to post in one reply, do so in two please.

Ihatespyware
2005-12-27, 10:24
Hi, this is the log (separated into 2 replies):

L2MFIX find log 121605
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvr8099ue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{03BBE7A9-A696-5428-0201-499035B2B7BE}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Eigenschappenvenster van multimediabestand"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM-scannerbeheer"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="Het tabblad Beveiliging"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="Eigenschappenblad voor OLE-docbestand"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell-uitbreidingen voor delen"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Beeldschermadapter"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Monitor"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Configuratiescherm-uitbreiding Beeldscherm-panning"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="Het tabblad Beveiliging"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibiliteitspagina"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Knipselgegevensverwerker van shell"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Schijfkopieer-uitbreiding"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell-uitbreidingen voor Microsoft Windows Network-objecten"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM-monitorbeheer"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM-printerbeheer"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell-uitbreidingen voor bestandscompressie"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Shell-uitbreiding voor Web Printer"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Snelmenu Codering"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Werkmap"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal-pictogramuitbreiding"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC-profiel"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Het tabblad Beveiliging voor printers"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell-uitbreidingen voor delen"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO-extensie"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto-handtekeningextensie"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Netwerkverbindingen"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Netwerkverbindingen"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners en camera's"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners en camera's"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners en camera's"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners en camera's"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners en camera's"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shellextensies voor Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Geplande taken"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taakbalk en menu Start"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Zoeken"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help en ondersteuning"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help en ondersteuning"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Uitvoeren..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Lettertypen"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Systeembeheer"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Eigenschappenpagina van vorige versies"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Vorige versies"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet-werkbalk"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Downloadstatus"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Uitgebreide shell-map"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Uitgebreide shell-map 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft-browserbalk"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Zoekbalk"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Zoeken binnen deelvenster"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Zoeken op het web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Hulpprogramma met opties voor registerboomstructuur"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Adres"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoAanvullen"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU-lijst voor AutoAanvullen"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Aangepaste MRU-lijst voor AutoAanvullen"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Toegankelijk"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Pop-upbalk Volgen"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lijst voor AutoAanvullen: Microsoft Geschiedenis"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lijst voor AutoAanvullen: Microsoft Shell-map"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft-container met meervoudige lijst voor AutoAanvullen"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Sitemenu van shell-band"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Gebruikersondersteuning"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Globale mapinstellingen"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url-geschiedenisservice"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="Geschiedenis"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Tijdelijke Internet-bestanden"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Tijdelijke Internet-bestanden"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url-zoeken Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite-welkomstscherm"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="Het Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer-band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="Cachemap van ActiveX"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Map met abonnementen"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Toepassingsbeheer"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Programma voor inventarisatie van geïnstalleerde toepassingen"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI- en bestandsextractieprogramma voor miniaturen"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Informatie over de handler voor miniatuurweergaven (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML-extractie voor miniatuurweergaven"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Wizard Webpublicaties"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Afdrukken via het web bestellen"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell-object voor publicatiewizard"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Wizard Passport"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Gebruikersaccounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Kanaal-bestand"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Kanaal-snelkoppeling"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Handler-object voor kanalen"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Map Off line bestanden"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Personen..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Webmappen"
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"
"{B327765E-D724-4347-8B16-78AE18552FC3}"="NeroDigitalIconHandler"
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}"="NeroDigitalPropSheetHandler"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{1049D598-CE1E-44CF-9AF8-D239A159034B}"=""
"{51040173-2478-46CC-B85E-7E74FA544F0A}"=""
"{3B828DF8-3DB4-44B0-A094-E52F8351EDA6}"=""
"{D4C35503-0523-4E14-9073-D6CEF483D58A}"=""
"{EDAD5464-FE7A-4D06-A68F-DC2900527A2D}"=""
"{7BA9E3A9-AC70-42FE-8902-F3C1BBCF29BE}"=""
"{489251CE-8AFA-43B7-89AE-7CD83CEC82F9}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{1049D598-CE1E-44CF-9AF8-D239A159034B}]

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{51040173-2478-46CC-B85E-7E74FA544F0A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51040173-2478-46CC-B85E-7E74FA544F0A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51040173-2478-46CC-B85E-7E74FA544F0A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{51040173-2478-46CC-B85E-7E74FA544F0A}\InprocServer32]
@="C:\\WINDOWS\\system32\\spdocvw.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{3B828DF8-3DB4-44B0-A094-E52F8351EDA6}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3B828DF8-3DB4-44B0-A094-E52F8351EDA6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3B828DF8-3DB4-44B0-A094-E52F8351EDA6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{3B828DF8-3DB4-44B0-A094-E52F8351EDA6}\InprocServer32]
@="C:\\WINDOWS\\system32\\ptflbmsg.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{D4C35503-0523-4E14-9073-D6CEF483D58A}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D4C35503-0523-4E14-9073-D6CEF483D58A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D4C35503-0523-4E14-9073-D6CEF483D58A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{D4C35503-0523-4E14-9073-D6CEF483D58A}\InprocServer32]
@="C:\\WINDOWS\\system32\\dpstyle.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EDAD5464-FE7A-4D06-A68F-DC2900527A2D}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDAD5464-FE7A-4D06-A68F-DC2900527A2D}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDAD5464-FE7A-4D06-A68F-DC2900527A2D}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{EDAD5464-FE7A-4D06-A68F-DC2900527A2D}\InprocServer32]
@="C:\\WINDOWS\\system32\\mfvcrt40.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{7BA9E3A9-AC70-42FE-8902-F3C1BBCF29BE}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7BA9E3A9-AC70-42FE-8902-F3C1BBCF29BE}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7BA9E3A9-AC70-42FE-8902-F3C1BBCF29BE}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{7BA9E3A9-AC70-42FE-8902-F3C1BBCF29BE}\InprocServer32]
@="C:\\WINDOWS\\system32\\cWtsrvps.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{489251CE-8AFA-43B7-89AE-7CD83CEC82F9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{489251CE-8AFA-43B7-89AE-7CD83CEC82F9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{489251CE-8AFA-43B7-89AE-7CD83CEC82F9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{489251CE-8AFA-43B7-89AE-7CD83CEC82F9}\InprocServer32]
@="C:\\WINDOWS\\system32\\cybcatq.dll"
"ThreadingModel"="Apartment"

Ihatespyware
2005-12-27, 10:25
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Thu 24 Nov 2005 1:39:20 A.... 1.022.464 998,50 K
cdfview.dll Fri 21 Oct 2005 4:41:54 A.... 151.552 148,00 K
child.dll Sun 25 Dec 2005 17:59:30 A.... 14.336 14,00 K
cmdlin~1.dll Fri 23 Dec 2005 19:17:40 A.... 98.304 96,00 K
cwtsrvps.dll Mon 26 Dec 2005 19:50:24 ..S.R 233.991 228,50 K
cybcatq.dll Tue 27 Dec 2005 8:04:32 ..S.R 235.782 230,25 K
d3dx9_28.dll Mon 5 Dec 2005 18:09:18 A.... 2.323.664 2,21 M
danim.dll Sat 5 Nov 2005 4:20:32 A.... 1.057.280 1,01 M
divx.dll Wed 7 Dec 2005 18:05:52 A.... 573.952 560,50 K
divx_x~1.dll Wed 7 Dec 2005 18:05:50 A.... 679.936 664,00 K
divx_x~2.dll Wed 7 Dec 2005 18:05:50 A.... 679.936 664,00 K
divx_x~3.dll Wed 7 Dec 2005 18:05:50 A.... 663.552 648,00 K
dpl100.dll Thu 27 Oct 2005 20:37:46 A.... 86.016 84,00 K
dpstyle.dll Mon 26 Dec 2005 8:28:10 ..S.R 236.180 230,64 K
dpu10.dll Thu 27 Oct 2005 20:37:44 A.... 294.912 288,00 K
dpu11.dll Thu 27 Oct 2005 20:37:44 A.... 294.912 288,00 K
dpugui10.dll Thu 27 Oct 2005 20:37:48 A.... 53.248 52,00 K
dpugui11.dll Thu 27 Oct 2005 20:37:46 A.... 593.920 580,00 K
dpus11.dll Thu 27 Oct 2005 20:37:44 A.... 339.968 332,00 K
dpv11.dll Thu 27 Oct 2005 20:37:44 A.... 57.344 56,00 K
dtu100.dll Thu 27 Oct 2005 20:37:44 A.... 200.704 196,00 K
dxtrans.dll Fri 21 Oct 2005 4:41:54 A.... 205.312 200,50 K
esent.dll Thu 20 Oct 2005 23:31:14 A.... 1.092.096 1,04 M
extmgr.dll Fri 21 Oct 2005 4:41:54 A.... 55.808 54,50 K
gdi32.dll Thu 6 Oct 2005 4:19:02 A.... 280.064 273,50 K
gmgqe.dll Tue 27 Dec 2005 9:18:52 A.... 24.064 23,50 K
iepeers.dll Fri 21 Oct 2005 4:41:54 A.... 251.392 245,50 K
inseng.dll Fri 21 Oct 2005 4:41:54 A.... 96.768 94,50 K
jtp407~1.dll Tue 27 Dec 2005 9:16:32 ..S.R 235.782 230,25 K
legitc~1.dll Fri 4 Nov 2005 16:27:24 A.... 534.280 521,76 K
libdivx.dll Wed 28 Sep 2005 19:50:06 A.... 1.044.480 1020,00 K
lvr809~1.dll Mon 26 Dec 2005 19:51:10 ..S.R 233.991 228,50 K
mfvcrt40.dll Mon 26 Dec 2005 16:34:00 ..S.R 233.991 228,50 K
mshtml.dll Thu 24 Nov 2005 1:39:22 A.... 3.013.632 2,87 M
mshtmled.dll Fri 21 Oct 2005 4:41:56 A.... 448.512 438,00 K
msrating.dll Fri 21 Oct 2005 4:41:56 A.... 146.432 143,00 K
mstime.dll Fri 21 Oct 2005 4:41:56 A.... 530.944 518,50 K
msupda~1.dll Sun 25 Dec 2005 17:59:26 A.... 36.864 36,00 K
pngfilt.dll Fri 21 Oct 2005 4:41:56 A.... 39.424 38,50 K
ptflbmsg.dll Sun 25 Dec 2005 20:05:06 ..S.R 236.180 230,64 K
qpqsoeu.dll Tue 27 Dec 2005 9:18:52 A.... 67.072 65,50 K
r66ulg~1.dll Mon 26 Dec 2005 11:18:08 ..S.R 236.180 230,64 K
s0rsla~1.dll Sun 25 Dec 2005 18:38:54 ..S.R 236.086 230,55 K
shdocvw.dll Thu 1 Dec 2005 4:33:22 A.... 1.492.480 1,42 M
shlwapi.dll Fri 21 Oct 2005 4:41:58 A.... 474.112 463,00 K
sirenacm.dll Thu 13 Oct 2005 0:11:06 A.... 118.784 116,00 K
spdocvw.dll Tue 27 Dec 2005 9:18:46 ..... 233.991 228,50 K
spmsg.dll Thu 13 Oct 2005 0:20:06 ..... 15.584 15,22 K
ssldivx.dll Wed 28 Sep 2005 19:50:04 A.... 200.704 196,00 K
ssldr32.dll Sun 25 Dec 2005 17:59:30 A.... 10.240 10,00 K
urlmon.dll Sat 5 Nov 2005 4:20:36 A.... 605.696 591,50 K
wbhelp2.dll Wed 21 Dec 2005 21:50:04 A.... 50.688 49,50 K
wininet.dll Fri 21 Oct 2005 4:41:58 A.... 661.504 646,00 K
xinput~1.dll Mon 5 Dec 2005 18:07:30 A.... 61.136 59,70 K

54 items found: 54 files (9 H/S), 0 directories.
Total of file sizes: 23.096.226 bytes 22,02 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Tue 27 Dec 2005 9:19:48 ..S.R 233.991 228,50 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 233.991 bytes 228,50 K
**********************************************************************************
Directory Listing of system files:
De volumenaam van station C is 437293
Het volumenummer is 78F9-8537

Map van C:\WINDOWS\System32

27-12-2005 09:19 233.991 guard.tmp
27-12-2005 09:16 235.782 jtp4077qe.dll
27-12-2005 08:04 235.782 cybcatq.dll
26-12-2005 19:51 233.991 lvr8099ue.dll
26-12-2005 19:50 233.991 cWtsrvps.dll
26-12-2005 16:33 233.991 mfvcrt40.dll
26-12-2005 11:18 236.180 r66ulgj916o.dll
26-12-2005 08:28 236.180 dpstyle.dll
25-12-2005 20:05 236.180 ptflbmsg.dll
25-12-2005 18:38 236.086 s0rsla971d.dll
21-12-2005 20:19 <DIR> dllcache
08-11-2005 04:35 <DIR> Microsoft
10 bestand(en) 2.352.154 bytes
2 map(pen) 209.221.332.992 bytes beschikbaar

LonnyRJones
2005-12-27, 16:27
Hi
Close any programs you have open since this step requires a reboot.
Close the internet connection, Unplug your modem !! if on cable or satellite.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

Ihatespyware
2005-12-27, 19:52
Hi
Close any programs you have open since this step requires a reboot.
Close the internet connection, Unplug your modem !! if on cable or satellite.
From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

second.bat doesn't work.
I double clicked it, then it opens a new window called second.bat, it says Killing Processen! and nothing happens :(

LonnyRJones
2005-12-27, 19:57
Hi

Are you logged into the pc in an account with administrative rights ?

I did not suggest running second bat manually

Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


@echo off
echo Searching please wait....
(@echo off
For %%i in (%windir%\system32) do findstr /M "WinShutdown" %%i\*.dll
For %%i in (%windir%\system32) do findstr /M "WinShutdown" %%i\*.tmp
)>logit.txt 2>&1
notepad logit.txt

Run check.bat and post the logit text

Once that is posted do not restart your PC

Ihatespyware
2005-12-27, 20:11
Hi

Are you logged into the pc in an account with administrative rights ?

I did not suggest running second bat manually

Copy the contents of the quote box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.

Run check.bat and post the logit text

Once that is posted do not restart your PC


Yes, I'm logged in with my main account

Logit.txt:

C:\WINDOWS\system32\dNdxof.dll
C:\WINDOWS\system32\jt4207hoe.dll
C:\WINDOWS\system32\k880lilm18qa.dll
C:\WINDOWS\system32\kS80lilm18qa.dll
C:\WINDOWS\system32\m6640gjqe6oe0.dll
C:\WINDOWS\system32\mlvcp60.dll
FINDSTR: cannot open C:\WINDOWS\system32\jt2407fqe.dll
FINDSTR: cannot open C:\WINDOWS\system32\l20u0cd9ef0.dll niet openen
FINDSTR: cannot open C:\WINDOWS\system32\mmxoci.dll niet openen
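
The check.bat search and the kind of logit.txt result shown above, as an added example that is not part of the original posts: a Python equivalent of `findstr /M "WinShutdown"` over the .dll and .tmp files in one directory. It goes beyond the batch file by also matching the UTF-16LE form of the string and by returning files that cannot be opened as a separate list; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

def file_contains(path, needles, chunk_size=1 << 20):
    """Return True if any needle occurs in the file, reading it in chunks."""
    keep = max(len(n) for n in needles) - 1  # overlap so a split match is seen
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if any(n in window for n in needles):
                return True
            tail = window[-keep:] if keep else b""

def scan(directory, marker="WinShutdown", extensions=(".dll", ".tmp")):
    """Case-sensitive marker search; returns (hits, unreadable) file names."""
    needles = [marker.encode("ascii"), marker.encode("utf-16-le")]
    hits, unreadable = [], []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(extensions):
            continue
        try:
            if file_contains(path, needles):
                hits.append(name)
        except OSError:
            # findstr reports "cannot open" here; keep the name for review
            unreadable.append(name)
    return hits, unreadable

def demo():
    """Run scan() over constructed sample files (not taken from the thread)."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "clean.dll": b"MZ" + b"\x00" * 64,
            "ascii_hit.dll": b"MZ" + b"\x90" * 30 + b"WinShutdown\x00",
            "wide_hit.tmp": b"\x00" * 7 + "WinShutdown".encode("utf-16-le"),
            "ignored.txt": b"WinShutdown",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return scan(d)

if __name__ == "__main__":
    print(demo())
```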

LonnyRJones
2005-12-27, 20:32
Thanks

What language operating system is this ?
What is the equivalent spelling for administrators in your language ?

Sometimes this method takes a few tries, stick with us.
Download Pocket Killbox
http://www.downloads.subratam.org/KillBox.exe
Start Killbox place a tick next to [x]replace on reboot and use dummy.
Copy this whole list into the windows clipboard, all the Bolded below.

C:\WINDOWS\system32\dNdxof.dll
C:\WINDOWS\system32\jt4207hoe.dll
C:\WINDOWS\system32\k880lilm18qa.dll
C:\WINDOWS\system32\kS80lilm18qa.dll
C:\WINDOWS\system32\m6640gjqe6oe0.dll
C:\WINDOWS\system32\mlvcp60.dll
C:\WINDOWS\system32\jt2407fqe.dll
C:\WINDOWS\system32\l20u0cd9ef0.dll
C:\WINDOWS\system32\mmxoci.dll



Back in Killbox go > file > paste from clipboard, Go Options > 8.3 names and place a check next to use short names. click the All files button
Click the red highlighted X button and say yes to the prompt
After the pc has completely restarted run findl2m.bat again and post its log

Ihatespyware
2005-12-28, 12:01
Hi,

Thanks for that program, I don't get any more popups and my internet is running smooth :bigthumb:

But I feel like I didn't get rid of everything yet..

My hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 10:52:07, on 28-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MESSEN~1\Msmsgs.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Bryan\Bureaublad\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "c:\PROGRA~1\MESSEN~1\Msmsgs.exe" /background
O4 - HKCU\..\Run: [eMuleAutoStart] C:\Program Files\eMule\emule.exe -AutoStart
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/nl/4,0,0,90/mcinsctl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/nl/1,0,0,23/mcgdmgr.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\d6j0lg1m16.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

I uploaded my L2Mfix log to my site because it's toooo looonngg ( there was something wrong with winlogin.exe )

log.txt (http://warcraftpl.com/log.txt)

LonnyRJones
2005-12-28, 13:30
Hello

Fix this item with Hijackthis
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\d6j0lg1m16.dll (file missing)

Did you run l2mfix option two again after using killbox ? or was that the first log ?

Run Killbox again using delete on reboot for these files

C:\WINDOWS\SYSTEM32\child.dll
C:\WINDOWS\SYSTEM32\msupda~1.dll
C:\WINDOWS\SYSTEM32\ssldr32.dll


Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly
How did that go ?

Ihatespyware
2005-12-29, 11:53
First time l2mfix didn't work because I wasn't patient enough, 2nd time I waited and it worked.

C:\WINDOWS\SYSTEM32\child.dll
C:\WINDOWS\SYSTEM32\msupda~1.dll
C:\WINDOWS\SYSTEM32\ssldr32.dll

All of them don't exist.


Put in place a good hosts file
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
Replace it about once monthly
How did that go ?

Why do I need this and what does it do?


Thanks for your replies and help :)

LonnyRJones
2005-12-29, 14:44
Hi

Did you look for the files manually or use Killbox on them by pasting in the list ?
Because they are there, I believe.
There is a great explanation of what a hosts file does at that website
http://www.mvps.org/winhelp2002/hosts.htm
Basically it helps keep us from getting infected

tashi
2006-01-03, 00:45
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please pm me or one of the forum mods.